Computers and Chemical Engineering 000 (2000) 000–000
An approach to potential risk analysis of networked chemical plants

Akio Shindo a, Hiroshi Yamazaki b, Akifumi Toki c, Ichiro Koshijima d,*, Tomio Umeda d

a Department of Management Information Systems, Nagoya University of Commerce and Business Administration, Japan
b Industrial Systems Department, Project Systems Division, JGC Corporation, Japan
c SI Technology Center, Chiyoda Corporation, Japan
d Department of Project Management, Chiba Institute of Technology, 2-17-1 Tsudanuma, Narashino, Chiba, Japan
Abstract

In order to cope with severe competition in the global market, the local area network installed inside the plant site has been connected with the Internet for exchanging business information among globally distributed plant sites. Though the information systems have given benefits through such open architecture, there are various risks as the result of the application of network technologies. Much attention, therefore, has to be paid to chemical plant failures triggered by outside parties. One of the common technological interests is a risk analysis method for network events that allow illegal access to the digital control system (DCS). In this paper, the authors present a unified approach to generate fault tree and event tree structures between a network access and an anomaly of the process plant. To illustrate the validity of the proposed method, a typical networked chemical plant is taken as an example and analyzed. The present research will make clear what parts are most important for plant security. © 2000 Elsevier Science Ltd. All rights reserved.

Keywords: Networked plants; Risk analysis; Fault tree analysis/Event tree analysis; Cyber terrorism
1. Introduction

In the past two decades, chemical plants have been operated with highly integrated computer networks. Due to the rapid change of production demands, information regarding customers' needs has to be collected on a real-time basis to cope with severe competition in the global market. Many companies have to organize globally distributed manufacturing sites, which share the role of the companies' production and sales of chemical products. In order to create an agile manufacturing system, the local area network installed inside the site has been connected to the Internet for exchanging business information among globally distributed plant sites and deployed as an intranet. Though the information network systems have yielded benefits through such open architecture, there are various risks as the result of the application of network technologies. One typical risk is an operational trouble caused by attacking cyber terrorists. Under the circumstances of an open network, it is very important to maintain the systems at a high level of information security, because operational decisions on a computer-integrated chemical plant rely upon business information obtained through the intranet. This means that there are some potential risks for chemical plant operation to be disturbed by undesired impacts from outside the manufacturing sites. Though the scope of chemical plant safety has been limited to the plant sites in the past, much attention has to be paid to chemical plant failures triggered by outside parties.

This paper is concerned with plant safety from the viewpoint mentioned above. One of the common technological interests is the event sequence analysis with system dynamics. Attackers will try to cause failures by triggering them from the computer network, which open network architectures make possible. Troubles in plant operations have to be avoided by maintaining a high level of security. The present research will make clear what parts are most important from the viewpoint of plant security.

* Corresponding author. E-mail address: ikoshi@roy.hi-ho.ne.jp (I. Koshijima)

0098-1354/00/$ - see front matter © 2000 Elsevier Science Ltd. All rights reserved. PII: S0098-1354(00)00327-6
2. Problem statement

In a design phase, fault tree analysis (FTA) gives satisfactory results for a risk analysis of large chemical plants. To carry out the FTA, it has been assumed that process equipment and operators' actions are the analysis targets and that the digital control system (DCS) works correctly without hardware and software errors. These assumptions have been appropriate so far, because the DCS has been designed as a private system by DCS vendors and has only been accessed by authorized operators. It is, however, difficult to assure the integrity of an open-networked chemical plant, because there is some degree of possibility that the DCS is accessed or falsified by outsiders through the network, as shown in Fig. 1.

In order to extend the framework of plant risk analysis to the associated network, it is necessary to define system boundaries, i.e. physical boundaries and logical boundaries.

2.1. Physical boundaries defined by related equipment

There is no objection to selecting 'the Internet router to be a target of attack' as the outer battery limit of the system. Fig. 2 shows a possible intrusion path from the router to critical information inside the plant by breaking through the security gates shown in Fig. 1. In Fig. 2, an intrusion takes time from left to right and increases the degree of risk from bottom to top. According to Fig. 2, security gates are broken at node C1 (failure in access control), C2 (intrusion into the network), D2 (obtaining a higher user ID) and/or E3 (intrusion into the DCS). The plant, however, is normally shut down by the interlocks and other safety devices installed in the plant, and is led to node D6 (normal operation with isolated DCS) or E6 (normal shutdown triggered by interlock). The plant may fall into a real abnormal state at node H6 (fatal accident). There is a potential risk that F3 (intrude to DCS) may cause F4 (alter control parameters), because E3 is the final gate. Therefore, the inner battery limit of the system shall be 'the DCS to be a target of intrusion'.

2.2. Logical boundaries defined by a possible scenario

Though there are various scenarios for intrusion into the network, the scenario shown in Fig. 3 is the essence of an intrusion. In this scenario, there are the following six steps:
1. access to a network PC;
2. log into a computer that can change DCS functions;
3. execute a command that can change DCS functions;
4. output wrong control signals;
5. make wrong actions;
6. generate process anomalies.
3. Applied method

In the present study, the authors extend FTA to cover the following technical issues.
1. Dynamics caused by structure change. In particular, the network system changes its physical configuration by adding or removing network devices, and changes its logical configuration by starting and stopping network devices.
2. Dynamics caused by event propagation. The control logic bridges event propagation among the process plant, the DCS and the network devices.

In the configuration shown in Fig. 1, the overall system is divided into three subsystems: the network subsystem, the DCS subsystem and the plant subsystem. Because the causes of troubles propagate among the three subsystems, from a login to process anomalies, a two-step approach should be taken to generate a tree structure in FTA.
1. First step: plant-side FTA. Process anomalies should be assumed as the top events, and the bottom events should be the control information in the control logic of the DCS.
2. Second step: network-side FTA. Its top events should be the target control information in the control logic file, and its bottom events should be logins to a certain PC on the network.

Fig. 1. Typical configuration of networked chemical plant.
Fig. 2. Structure of security risks on networked chemical plant.
Fig. 3. Concerned scenario for FTA from an illegal access to process anomalies.

3.1. Plant-side FTA

Various approaches to fault tree (FT) synthesis (Kuo, Hsu & Chang, 1997; Lapp & Power, 1997) have been proposed in the literature for process plants. However, there is no report that extends the bottom events of a fault tree to either the control logic or its control parameters. To generate the FT for the plant side, at least the following tasks should be performed.
1. Specification of the process anomaly.
2. Extraction of the control devices related to the anomaly, using a cause-and-effect network transformed from the P&ID.
3. Extraction of the related logic codes and their linkage by tracing the input and output connections among the stored logic, as shown in Fig. 4.
4. Synthesis of the fault tree based on the extracted logic path, inputs, outputs or parameters, as shown in Fig. 5.
5. Identification of the DCS files that store the following information:
5.1. inputs or outputs located at the end of the above fault tree;
5.2. all parameters;
5.3. all logic codes.

Fig. 4. Extraction of logic path from field devices to top DCS logic.
Fig. 5. Synthesis of fault tree for logic code.

3.2. Network-side FTA

On the network, various devices, files, commands and applications are directly or indirectly related to the potential risks if they are not properly managed. It is difficult to examine all factors individually because of their diversity. To cope with this diversity, a unified model should be developed. On most operating systems, every computing resource is managed as a file image and, therefore, authentication of file access is a key factor for risk management.

The authentication mechanism is modeled as shown in Fig. 6. In this model, every command accesses a file image by referring to the file's restriction and the user's privilege. After passing the security check gate, the file is identified as a device, a command or a data file. This model, therefore, can be applied recursively to generate a fault tree for any devices, data files, commands, applications and their combinations.

Fig. 6. Model of authentication mechanism.

To generate the FT for the network side, the following tasks should be performed using the above model.
1. Extraction of login paths. It is necessary to specify how to reach the target hosts by using the hosts' and users' information.
Step 1: Extraction of the computers that can communicate with the target computer.
Step 2: Specification of the users who can log in to the computers extracted in Step 1.
Step 3: Extraction of the computers that can be remotely logged in to by the users specified in Step 2.
Step 4: Extraction of all possible combinations of computers and users by repeating the above three steps.
2. Extraction of file access paths. Once the login paths are extracted, it is necessary to specify how to reach the target file (or command) and how to change the target information.
Step 1: Specification of the target file.
Step 2: Extraction of all files by using the authentication model mentioned above.
Step 3: Generation of all possible linkages of files by repeating the above two steps.
Step 4: Synthesis of the fault tree structure, where all files related to the target file are interpreted as a fault tree.
Step 5: Synthesis of the event tree structure, where each security check is described as an event node.
Step 6: Synthesis of the combined tree of the above event trees and fault trees, as shown in Fig. 7. In Fig. 7, security checks A, B and C show the event gates that trigger the anomaly, and fault trees FT-A, FT-B and FT-C estimate the probability of each event, respectively.

After generating the plant-side FT and the network-side FT, the two FTs are integrated as shown in Fig. 8.

Fig. 7. Combination of fault tree and event tree for security check structure.
Fig. 8. Integrated FTs for networked chemical plant.
Fig. 9. Simulation environment.
Fig. 10. Overview of LNG receiving terminal simulator.
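As an added example (not the authors' prototype tool), the following Python sketch carries out tasks 3 to 5 of Section 3.1 on a constructed inventory of three DCS logic blocks with hypothetical tag names (PIC-101, FIC-102, FY-102) and hypothetical storage file names (ORV_PARAM.DAT, ORV_LOGIC.CFG, DCS_DB). It traces input/output connections backwards from a chosen output, emits an all-OR fault tree whose leaves are logic codes, parameters and process variables, de-duplicates the bottom events by kind, and maps them to the DCS files that would have to be altered, which is exactly the information the integrated tree of Fig. 8 hands to the network-side FT. A feedback input on PIC-101 is included to show how a control loop is kept from recursing forever.

```python
"""Plant-side FT synthesis by tracing stored DCS logic (tasks 3 to 5 of Section 3.1)."""
from dataclasses import dataclass


@dataclass
class LogicBlock:
    """One stored DCS logic code: the output it computes, the inputs it reads
    (field process variables or other blocks' outputs) and its tunable parameters."""
    output: str
    inputs: list
    parameters: list


# Constructed logic inventory (hypothetical tags) for an ORV outlet-pressure loop:
# PIC-101 cascades its output as the setpoint of FIC-102 (LNG feed flow), reads
# FIC-102.OUT back for output tracking, and FIC-102 reads the temperature-
# compensated flow computed by FY-102.
LOGIC = {
    "PIC-101": LogicBlock("PIC-101.OUT", ["PT-101.PV", "FIC-102.OUT"],
                          ["PIC-101.SP", "PIC-101.GAIN", "PIC-101.RESET"]),
    "FY-102": LogicBlock("FY-102.CV", ["FT-102.PV", "TT-102.PV"], ["FY-102.K"]),
    "FIC-102": LogicBlock("FIC-102.OUT", ["FY-102.CV", "PIC-101.OUT"], ["FIC-102.GAIN"]),
}

# Where the DCS stores each kind of item (task 5); constructed file names.
STORAGE = {
    "parameter": "ORV_PARAM.DAT",
    "logic code": "ORV_LOGIC.CFG",
    "process variable": "DCS_DB",      # working memory of the control database
    "calculated variable": "DCS_DB",
}


def producer_of(signal):
    """Name of the logic block whose output is `signal`, or None for a field input."""
    for name, blk in LOGIC.items():
        if blk.output == signal:
            return name
    return None


def _leaf(event, kind):
    return {"event": event, "kind": kind, "children": []}


def synthesize_plant_ft(signal, visited=frozenset()):
    """Fault tree for the top event 'wrong value of `signal`' (tasks 3 and 4).

    Every gate is OR: falsifying any one item the signal depends on (its logic
    code, a parameter, an input) is sufficient.  `visited` stops the trace when
    a control loop feeds a value back to a block already on the path."""
    name = producer_of(signal)
    if name is None:
        return _leaf(signal, "process variable")
    if name in visited:
        return _leaf(signal, "calculated variable")   # loop closed, already expanded
    blk = LOGIC[name]
    children = [_leaf(name, "logic code")]
    children += [_leaf(p, "parameter") for p in blk.parameters]
    children += [synthesize_plant_ft(i, visited | {name}) for i in blk.inputs]
    return {"event": signal, "kind": "calculated variable", "gate": "OR",
            "children": children}


def bottom_events(tree):
    """All falsifiable DCS items in the tree, grouped by kind and de-duplicated
    (tasks 5.1 to 5.3). Calculated variables count too: they sit in working memory."""
    found = {}
    stack = [tree]
    while stack:
        node = stack.pop()
        found.setdefault(node["kind"], set()).add(node["event"])
        stack.extend(node["children"])
    return {kind: sorted(items) for kind, items in found.items()}


def dcs_files(tree):
    """DCS files whose alteration reaches the top event; these become the top
    events of the network-side FT when the two trees are integrated (Fig. 8)."""
    files = {}
    for kind, items in bottom_events(tree).items():
        files.setdefault(STORAGE[kind], set()).update(items)
    return {f: sorted(items) for f, items in files.items()}


def render(tree, depth=0):
    """Indented text form of the tree for inspection."""
    line = "  " * depth + f"{tree['event']} [{tree['kind']}]"
    return "\n".join([line] + [render(c, depth + 1) for c in tree["children"]])


if __name__ == "__main__":
    ft = synthesize_plant_ft("FIC-102.OUT")
    print(render(ft))
    for f, items in dcs_files(ft).items():
        print(f"{f}: {len(items)} items")
```

Running it for the top event FIC-102.OUT lists three logic codes, five parameters, three process variables and three calculated variables, spread over the three storage files; because the parameters share one file, a single alteration of ORV_PARAM.DAT affects five bottom events at once, which is the point made about shared data files in Section 4.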
4. Illustrative example

In this section, the application of the proposed method to a critical lifeline plant is presented. An LNG receiving terminal and its evaporating plant are selected for evaluation, because LNG has become a major clean energy resource for electric power plants in Japan. Its supply also plays an important role in the independent power business, which requires demand-based operation (a kind of supply chain management).

In order to evaluate the proposed method, we developed a plant dynamic simulator, a DCS simulator and a network simulator, as shown in Fig. 9. Each simulator is modeled in detail by taking the actual configuration and function of a typical LNG receiving terminal into consideration. The system features of each simulator, implemented on Gensym G2, are as follows (Fig. 10).
1. Plant simulator: it simulates the process dynamics and the malfunction of process and control devices. It includes 285 process equipment items with 204 control devices.
2. DCS simulator: it simulates the DCS control functions, including automatic start-up, shut-down and demand-based load control for the open rack vaporizer (ORV). It executes 170 DCS logics with 961 inputs and 1197 outputs.
3. Network simulator: it simulates three major functions.
3.1. UNIX OS functions, including file access, network access and command execution.
3.2. Computers and network devices on the plant network.
3.3. Network connection.

The plant simulator and DCS simulator are located on machine-A and the DCS simulator on machine-B. Machines A and B are connected by Ethernet. A man-machine interface (MMI) is also installed for emergency training programs.

The authentication mechanisms of selected commands, such as UNIX 'su', are analyzed and modeled as shown in Fig. 11. In this example, 'user-name' and 'password' are the input information; 'su' and 'passwd' are the execution commands that change the current user status.

The prototype tool is installed on machine-B. In order to assess a network risk, the top event has to be selected, and the tool then automatically synthesizes a plant-side FT. Fig. 12 shows an example of a plant-side FT where the top event is an anomaly in the outlet pressure control. Eight parameters, ten process variables, eleven calculated variables and eight control logics stored in the DCS are listed as the bottom events of the FT. Because these data may be stored in several separate data files or in working memory in practice, a single break affects several items at once.

In the prototype tool, the user can interactively select a pop-up menu on each bottom event to create a network-side FT. Fig. 13 shows a part of the generated network-side FT for accessing the main header pressure, showing all possible paths and command sequences to change the main header pressure. A rhombus in the figure shows an event gate, and the number of rhombi on a path qualitatively shows the difficulty of an illegal intrusion.
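The network-side synthesis of Section 3.2 and the gate counting of Fig. 13 can be reproduced on a small model. The Python below is an added example, not the authors' prototype, and its hosts (router, ftp-srv, eng-ws, dcs-host), accounts (ftp, eng1, dcsop, root) and target file (ORV_PARAM.DAT, the parameter file a plant-side FT would hand over at integration) are all constructed. Each state is a (host, user) pair; the transitions are the security checks of the authentication model in Fig. 6, namely a password login, a host-trust (rhosts) login and the 'su' command of Fig. 11; a path ends when the user's privilege passes the file's restriction. The combined tree of Fig. 7 comes out as an OR over paths, each path an AND of its event gates, and the fewest gates on any path is the qualitative difficulty that Fig. 13 reads off as a rhombus count.

```python
"""Network-side FT synthesis over a login and file-access model (Section 3.2)."""

# --- Constructed network model (hypothetical host, user and file names) ------
# COMM[h]: hosts to which h can open a login session (login path, Step 1).
COMM = {
    "router": {"ftp-srv", "eng-ws"},   # outer battery limit of the analysis
    "ftp-srv": {"eng-ws"},
    "eng-ws": {"dcs-host"},
    "dcs-host": set(),                 # inner battery limit: the DCS host
}
# ACCOUNTS[h]: users who can log in to h with a password (Step 2).
ACCOUNTS = {
    "ftp-srv": {"ftp"},
    "eng-ws": {"eng1", "root"},
    "dcs-host": {"eng1", "dcsop", "root"},
}
# RHOSTS[(h, u)]: hosts from which u may remotely log in to h without a
# password (Step 3); the host-trust check is still an event gate.
RHOSTS = {("dcs-host", "eng1"): {"eng-ws"}}
# Target files: host, owner and UNIX mode string (the file's restriction).
FILES = {"ORV_PARAM.DAT": ("dcs-host", "dcsop", "rw-r--r--")}


def can_write(user, filename):
    """Security check of the authentication model (Fig. 6): the user's privilege
    against the file's restriction.  root bypasses; otherwise owner or other bits."""
    _host, owner, mode = FILES[filename]
    if user == "root":
        return True
    if user == owner:
        return mode[1] == "w"
    return mode[7] == "w"


def next_states(host, user):
    """Event gates leaving the state (host, user), each yielding the new state.
    `user` is None at the router, before any login."""
    for h2 in sorted(COMM.get(host, ())):
        for acct in sorted(ACCOUNTS.get(h2, ())):
            yield f"password {acct}@{h2}", (h2, acct)
        if user is not None and host in RHOSTS.get((h2, user), ()):
            yield f"rhosts {user}@{h2} from {host}", (h2, user)
    # 'su' is itself a command that passes a security check (Fig. 11).
    if user is not None and user != "root" and "root" in ACCOUNTS.get(host, ()):
        yield f"su root@{host}", (host, "root")


def login_paths(filename, start=("router", None)):
    """Step 4: every simple sequence of gates from the outer battery limit to a
    (host, user) state whose privilege passes the write check on the file."""
    target_host = FILES[filename][0]
    paths = []

    def dfs(state, trail, seen):
        host, user = state
        if host == target_host and user is not None and can_write(user, filename):
            paths.append(tuple(trail))
            return
        for gate, nxt in next_states(host, user):
            if nxt not in seen:               # no revisits: loops add no new gate
                dfs(nxt, trail + [gate], seen | {nxt})

    dfs(start, [], {start})
    return paths


def synthesize_network_ft(filename):
    """Combined structure of Fig. 7: the top event 'file altered' is an OR over
    paths; each path is an AND of its security checks (the event nodes)."""
    return {
        "event": f"{filename} altered", "gate": "OR",
        "children": [{"event": f"path {i}", "gate": "AND",
                      "children": [{"event": g} for g in p]}
                     for i, p in enumerate(login_paths(filename), 1)],
    }


def difficulty(ft):
    """Qualitative difficulty as in Fig. 13: the fewest event gates on any path."""
    return min(len(path["children"]) for path in ft["children"])


if __name__ == "__main__":
    ft = synthesize_network_ft("ORV_PARAM.DAT")
    print(len(ft["children"]), "paths; minimum gates:", difficulty(ft))
    for path in ft["children"]:
        print(" -> ".join(e["event"] for e in path["children"]))
```

On this model the search finds 20 simple paths; the shortest cross only two gates (a password login on eng-ws followed by a password login as the file owner or root on dcs-host), the longest five. For a defender the useful output is the set of gates shared by the short paths: adding a gate in front of them (for instance removing the direct router-to-eng-ws reachability) raises the minimum difficulty of every path through them. Quantifying the AND/OR gates with failure probabilities is what the concluding remarks leave for further study, so the tree is kept qualitative here.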
5. Concluding remarks

An FTA-based risk analysis method for a networked chemical plant has been developed, and its core algorithms were evaluated in a realistic environment. Because the proposed method consistently synthesizes the fault trees on both the plant and the network, the quality of risk assessment can be significantly improved.

Further study is, however, necessary to practically define the fault probability data for computer operation and network access in order to establish a secure DCS environment for the emerging Internet era.

Fig. 11. Example of security check mechanism.
Fig. 12. Generated plant-side FT for anomaly on outlet pressure control.
Fig. 13. Generation of network-side FT for a specified control parameter.
Acknowledgements

The authors wish to express sincere appreciation to the Ministry of International Trade and Industry and the Information-technology Promotion Agency, Japan, for supporting the present study and for permitting the publication of this paper. We also express sincere appreciation to MITI's Committee on the Large Scale Plant Network Security for their valuable feedback.

References

Kuo, D. H., Hsu, D. S., & Chang, C. T. (1997). Computers & Chemical Engineering, 21, S923.
Lapp, S. A., & Power, G. J. (1997). IEEE Transactions on Reliability, R-26, 2.